Symantec Paws at ZeroAccess Botnet
Symantec has smacked ZeroAccess upside the head, but the botnet may just shake it off and get back to its malicious work.
10/01/13 2:33 PM PT
Symantec has removed more than 500,000 infected PCs from the botnet created by the ZeroAccess Trojan.
ZeroAccess uses a peer-to-peer mechanism. It is the latest technique botnet authors have adopted to avoid having their networks taken down by security experts.
Symantec used a DNS sinkhole to fight the ZeroAccess botnet.
There are two variants of ZeroAccess. The second version, which appeared in 2012, had 1.9 million infected PCs as of August 2013, and it was the one Symantec attacked, Symantec security researcher Vikram Thakur told TechNewsWorld.
Version 1 infected 30,000 machines "a long time ago and never got cleaned up," he said.
The attack "made a sizeable dent" in the botnet, Thakur pointed out. "ISPs and CERTs are using information from us to detect and clean up many more than 500,000 ZeroAccess-infected hosts now."
Details of Symantec's Attack
Version 2 of the ZeroAccess botnet operated under four ports in two pairs, Thakur said. One pair is for x86 machines and the other for x86 64-bit computers.
"Our action was against two of those four ports -- one in each pair," Thakur said, which "made up 50 percent of the ZeroAccess Version 2 global infection count."
In P2P botnets, compromised PCs talk to each other rather than to a central command and control server, which makes them resilient.
Symantec basically used cyberjudo on the botnet. It emulated participation within the botnet and advertised its presence to a "very large number of bots," Thakur disclosed.
These bots then reached out to Symantec-controlled systems for updates. Symantec returned a list of servers it owned in response, and "at this point the bots were sinkholed and could only communicate with Symantec-controlled servers," commented Thakur.
Just a Love Tap
The two variants of ZeroAccess are organized into seven disjoint networks, according to a paper published jointly by CrowdStrike, Dell SecureWorks and other collaborators in May.
Hitting only one variant may not have been enough because of the resilience of P2P botnets.
"All DNS entries to the initial seeding servers in these decentralized networks need to be taken down around the same time in order for any crippling effect to be seen on this type of design," Tommy Chin, technical support engineer at CORE Security, told TechNewsWorld.
Disabling part of a botnet "limits the damage and replication capabilities in the short term," remarked Kevin O'Brien, enterprise solution architect at CloudLock. "It's accurate to state that the botnet can heal itself, however, so this is a Band-Aid and not a cure."
Nonetheless, sinkholing ZeroAccess "is a very good way to analyze exactly how it works and what it does," Chin continued. "The information can be used to advance Symantec's software with better detection algorithms."
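As an added illustration of the peer-list poisoning Thakur describes (bots ask a peer for an update, the sinkhole answers with only servers it owns, and a bot whose whole list is defender-controlled can talk to nothing else) and of why a sinkhole only reaches the network it actually joins, which is the point behind the disjoint-network remarks above, here is a small Python simulation. It is not Symantec's tooling and contains no ZeroAccess code; the peer-list size, the gossip rule (copy the newest reply, truncate) and every address are constructed for the model.

```python
import random

# Toy model of a P2P botnet sinkhole: a defender-controlled node joins the
# peer exchange, replies to update requests with only addresses it owns, and
# bots that copy that reply can no longer reach a real peer. Added example,
# not Symantec's method or ZeroAccess code; all addresses are constructed.

LIST_SIZE = 8                                                  # peers a bot remembers (assumed)
SINKHOLE_SERVERS = tuple(f"sink-{i}" for i in range(LIST_SIZE))  # defender-owned (constructed)


def build_network(prefix, n_bots, rng):
    """A bot network as {bot_id: [peer ids]}; peers come only from this network."""
    ids = [f"{prefix}-{i}" for i in range(n_bots)]
    return {b: rng.sample([o for o in ids if o != b], LIST_SIZE) for b in ids}


def advertise(network, fraction, rng):
    """The sinkhole 'advertises its presence': one sinkhole address replaces a
    real peer in the list of the given fraction of bots."""
    for bot in rng.sample(sorted(network), int(len(network) * fraction)):
        network[bot][rng.randrange(LIST_SIZE)] = rng.choice(SINKHOLE_SERVERS)


def reply_to_update_request(network, peer):
    """What a bot receives when it asks `peer` for fresh peers."""
    if peer in SINKHOLE_SERVERS:
        return list(SINKHOLE_SERVERS)     # the sinkhole hands out only servers it owns
    return list(network[peer])            # a real bot shares what it knows


def update_round(network, rng):
    """Each bot asks one random peer for an update and merges the answer,
    newest entries first, truncated to LIST_SIZE (the gossip step)."""
    for bot, peers in list(network.items()):
        received = reply_to_update_request(network, rng.choice(peers))
        merged = received + [p for p in peers if p not in received]
        network[bot] = merged[:LIST_SIZE]


def captured_fraction(network):
    """Share of bots whose every known peer is defender-controlled."""
    sinkholed = sum(all(p in SINKHOLE_SERVERS for p in peers) for peers in network.values())
    return sinkholed / len(network)


def simulate(n_bots=200, rounds=60, advertise_to=0.5, seed=1):
    """Two disjoint networks (think of the two port pairs); only A is attacked.
    Returns the captured fraction of A and of B after `rounds` gossip rounds."""
    rng = random.Random(seed)
    net_a = build_network("a", n_bots, rng)
    net_b = build_network("b", n_bots, rng)
    advertise(net_a, advertise_to, rng)
    for _ in range(rounds):
        update_round(net_a, rng)
        update_round(net_b, rng)
    return captured_fraction(net_a), captured_fraction(net_b)


if __name__ == "__main__":
    a, b = simulate()
    print(f"network A sinkholed: {a:.0%}, network B sinkholed: {b:.0%}")
```

Two things the run makes visible: once a bot's list is entirely sinkhole addresses it is stuck there for good (every later request also goes to the sinkhole), so the captured set only grows; and network B, which the sinkhole never joined, ends at exactly zero, which is the "Band-Aid, not a cure" caveat in miniature.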
Kicking ZeroAccess' Owners in the Wallet
ZeroAccess botnets engage in click fraud and Bitcoin mining, generating "tens of millions of dollars in revenue," Symantec's Thakur said. Its attack "has disrupted the revenue stream for these cybercriminals and severely hampered their operations."
Reducing the number of infected machines "does impact the organizers' potential revenue from its activities," CloudLock's O'Brien told TechNewsWorld.
However, "this is a questionable strategy and based on assumptions that may not prove true -- that a rational actor is behind the botnet, one who will at some point walk away from a smaller take," O'Brien pointed out.
No Rest From the Wicked
Expect more P2P botnets to crop up, Symantec's Thakur warned.
The primary defense against botnets is end-point security -- localized antivirus solutions, O'Brien suggested.
"The initial infection phase via ZeroAccess is not obfuscated, and relies upon the ability to modify explorer.exe; protecting this process and/or restricting user access to non-admin/ring-0 credentials should prevent the infection from taking hold," he explained.
Increasing the number of network address translation gateways, improving app-level security, and preventing users from running compromised systems or applications are the next steps.